Kucoin Twitter account hacked, $22k lost

PX-Z

legendary

Activity: 1554

Merit: 880

Wallet transaction notifier @txnNotifierBot

Quote from: Rikafip on April 29, 2023, 03:15:13 PM

Quote from: ololajulo on April 29, 2023, 03:10:19 PM

My apologies but how did the kucoin twitter account hack allow access to the exchange fund? Does this make a difference to everyone who has a Twitter account and cryptocurrency?

Its not the exchange that got hacked, but Kucoin Twitter account that attacker then used to share phishing link.

To be precise, kucoin twitter was hacked and tweet a fake giveaway scam that leads by accessing the phishing site and got scammed. So no exchange was hacked particularly.

It doesn't mention how the scam happened particularly if its the users send the funds particularly from their kucoin accounts or the scammers/hackers login to their users' account and withdraws their assets. If its the latter, kucoin should implement another security that it disabled from withdrawing in 24 hours after logging in a new device, or needs a sms, email and 2fa verification for withdrawals using a new logged in device.

Rikafip

legendary

Activity: 1722

Merit: 5937

Quote from: eaLiTy on April 29, 2023, 02:40:03 PM

It is surprising that Kucoin is reimbursing users that lost money because of the hack in Twitter

I don't think that its surprising at all since their account got hacked due their own mistake and no one else's. Imho, its the least that they could so.

Quote from: ololajulo on April 29, 2023, 03:10:19 PM

My apologies but how did the kucoin twitter account hack allow access to the exchange fund? Does this make a difference to everyone who has a Twitter account and cryptocurrency?

Its not the exchange that got hacked, but Kucoin Twitter account that attacker then used to share phishing link.

ololajulo

sr. member

Activity: 2240

Merit: 270

SOL.BIOKRIPT.COM

Quote from: PX-Z on April 24, 2023, 06:29:19 PM

What a shame, but still kudos reimbursing the users affected. I don't know how their handle was hacked, isn't 2fa is ~~forced~~required to every verified handle in twitter? How is it possible though to breach 2fa?

Quote from: Rikafip on April 24, 2023, 03:27:53 PM

Contrary to popular belief 2FA is not impenetrable, especially if they used mobile phone number.

I guess sms 2fa is not available on twitter, i remember elon doesn't like 2fa and keep tweeting it previously.

My apologies but how did the kucoin twitter account hack allow access to the exchange fund? Does this make a difference to everyone who has a Twitter account and cryptocurrency?

eaLiTy

hero member

Activity: 2814

Merit: 911

Have Fun )@@( Stay Safe

Quote from: PX-Z on April 24, 2023, 06:29:19 PM

What a shame, but still kudos reimbursing the users affected. I don't know how their handle was hacked, isn't 2fa is ~~forced~~required to every verified handle in twitter? How is it possible though to breach 2fa?

It is surprising that Kucoin is reimbursing users that lost money because of the hack in Twitter ~~as majority might have sent money thinking that they are doubling the amount, the usual scam that takes place in this space~~ Posted a phishing link in their Twitter handle and thereby lost money and hence they are doing the right thing by reimbursing the users.

The verification process in Twitter changed after Elon Musk took over as anyone paying $8 can get verified, so i doubt there will be mandatory 2 FA.

Quote from: Rikafip on April 29, 2023, 03:15:13 PM

Quote from: eaLiTy on April 29, 2023, 02:40:03 PM

It is surprising that Kucoin is reimbursing users that lost money because of the hack in Twitter

I don't think that its surprising at all since their account got hacked due their own mistake and no one else's. Imho, its the least that they could so.

I retracted my statement because it was a phishing link, when i initially posted them i thought it was a doubling scam and they are doing the right thing.

Fact remains that, it is not safe to click on any random link when you log into exchange even through their official social media handle. Users need to be responsible when financial assets are at stake to avoid these mishaps.

Rikafip

legendary

Activity: 1722

Merit: 5937

Quote from: Husires on April 28, 2023, 09:05:23 PM

Do any of you have any snapshots of the nature of the scam that happened? Are they links to access your account, double money scam, free gift trick or what?

It was a pretty basic scam attempt in which attacker shared fake Kucoin website and promised free money. People fall for these type of scams even without announcement coming from the exchange's official Twitter account so I am actually surprised that more people didn't lose money.

https://twitter.com/NFTherder/status/1650272867785777153

Husires

legendary

Activity: 1596

Merit: 1288

Do any of you have any snapshots of the nature of the scam that happened? Are they links to access your account, double money scam, free gift trick or what? In just 45 minutes, and through tweets, a scammer can collect more than 20k USD, which is not a small amount, and it is additional evidence that many cryptocurrency users need more awareness and investment in learning than losing their money in such ways.

I wish their cold/hot storage is managed by a more professional team.

Accardo

hero member

Activity: 1330

Merit: 568

Leading Crypto Sports Betting & Casino Platform

Quote from: Rikafip on April 24, 2023, 03:27:53 PM

Quote from: Accardo on April 24, 2023, 09:16:03 AM

Isn't it supposed to be an inside job, since they claim without any proofs that they had twitter 2fa enabled?

If it was an inside job, then it was a pretty bad one. 22k is nothing compoared to some bigger hacks and somehow I doubt that someone from Kucoin would risk so much for so little. By the way, how exactly could they prove that they had 2FA enabled? You either belive what they claim, or not.

Inside job in such scam as this one, isn't one sided, it could also be from the twitter side. I could remember when the likes of Barack Obama's twitter account was hijacked and used for a similar scam, the hackers, teenage boys, when apprehended said that they tricked, through spearphishing, an insider on twitter who helped them execute the task and bypassed them to tweet with accounts owned by top celebrities. A scam, however severely, is simply bad. Hence, the stolen amount shouldn't be considered as the only reason why their twitter account was hijacked. They could be some information that the hacker needed to get on the Kucoin twitter page, exaggerating, then dropped the tweet. And I don't think they were right about how long the account was on the hacker's custody, as they judged from the moment the tweet was made to the time they were aware of what's happening.

joniboini

legendary

Activity: 2170

Merit: 1789

Quote from: TopTort777 on April 25, 2023, 07:10:52 AM

So how exactly people have lost those 22k? With famous "Elon Musk donation" scam, that was and still popular in YouTube? It is unbelievable how people still got caught for that. Of course that is due to greed, but KuCoin and Twitter are also responsible for letting that happen.

According to some news, when the hacker was in control of the Kucoin account they tweeted some phishing websites. So it is safe to assume some users assume it was a legit one, connect their hot wallet to it, and then they lost their funds. I can't verify it myself, but there have been many similar phishing scams in the past, so it is not unlikely. People should've learned by now to never connect their account/wallet to some shady website even if it was posted by a famous account.

Rikafip

legendary

Activity: 1722

Merit: 5937

Quote from: dkbit98 on April 25, 2023, 03:54:34 PM

Well they have ''blue checkmark'' sign of ''trust'' and because of that brainwashed people are going to send money to scammers without thinking, because thinking is luxury and it's hard Tongue

To be more precise, Kucoin twitter account has that golden/yellow mark that is reserved for businesses, but even without that mark people would still send the money as its posted from the official Kucoin account. But yeah, thinking is hard. Roll Eyes

Quote from: dkbit98 on April 25, 2023, 03:54:34 PM

It was stupid mistake by Kucoin admins, but I wouldn't say 22k is small amount for 45 minutes of control, imagine the damage they would do if they had 24 hours or more control...

Dunno, considering how big and popular Kucoin is I think that they should be lucky that only 22k was lost. They said that they will reimburse the loss so lets hope they actually do that.

Potato Chips

hero member

Activity: 2786

Merit: 902

yesssir! 🫡

Quote from: Dr.Bitcoin_Strange on April 25, 2023, 12:50:42 PM

So practically, Google 2FA is the best? or one can even enable the three types of 2FA if possible, such as SMS, email, and Google 2FA?

Compared to SMS and email, TOTP/auth app is way better however, I suggest Aegis rather than Google Auth. It offers encryption, easier import/export function and less likely to be neglected by devs, see: https://getaegis.app/

Looks like you can enable more than one 2fa but I suggest not connecting any phone number in your account since it could be used to reset your password. It wouldn't be advisable to be careless about our passwords just because we have 2fa. I also suggest using an email provider where you can pair your account with TOTP.

dkbit98

legendary

Activity: 2212

Merit: 7064

Quote from: Rikafip on April 24, 2023, 12:38:54 AM

As you can see from the screenshots below, Kucoin Twitter account giot hacked last night and attacked managed to get $22k from unsuspected Kucoin followers. Luckily they regained the control after ~45 minutes so loss is not too big, but its still an embarassment, especially since they allegedly had 2FA enabled as well.

Well they have ''blue checkmark'' sign of ''trust'' and because of that brainwashed people are going to send money to scammers without thinking, because thinking is luxury and it's hard Tongue

It was stupid mistake by Kucoin admins, but I wouldn't say 22k is small amount for 45 minutes of control, imagine the damage they would do if they had 24 hours or more control...

tabas

hero member

Activity: 3234

Merit: 775

🌀 Cosmic Casino

This made me remember the hack that has also affected a lot of Twitter users that have followed the advice of those known personalities to deposit into certain address and that was made by just a young one. Although for some standards, 45 minutes of getting back the account was still a nice gesture and refunding all of those verified funds that has been sent by the victims is the best that they can. These hackers may soon not gonna target users directly but these huge accounts from official exchanges or personalities which is gonna make everyone gullible since they're known.

Quote from: Dr.Bitcoin_Strange on April 25, 2023, 12:50:42 PM

Quote from: Rikafip on April 25, 2023, 06:07:19 AM

2FA is good enough as long as you don't use SMS option

So practically, Google 2FA is the best? or one can even enable the three types of 2FA if possible, such as SMS, email, and Google 2FA?

Others are using Authy and yes, through SMS and email can easily be accessed by hackers once your data has been breached. There's this known sim-swap attack that does the thing.

Dr.Bitcoin_Strange

hero member

Activity: 826

Merit: 552

Leading Crypto Sports Betting & Casino Platform

At least it's good that they gain access back on time; the $22k loss is huge too, but it would have been worse had it extend to $$ billion, which may have even resulted in their exchange collapse. Mostly, these reasons are why Bitcoiners are advised not to keep their assets on CEX unless active traders, like future traders.

Quote from: Rikafip on April 25, 2023, 06:07:19 AM

2FA is good enough as long as you don't use SMS option

So practically, Google 2FA is the best? or one can even enable the three types of 2FA if possible, such as SMS, email, and Google 2FA?

TopTort777

legendary

Activity: 2534

Merit: 1501

So how exactly people have lost those 22k? With famous "Elon Musk donation" scam, that was and still popular in YouTube? It is unbelievable how people still got caught for that. Of course that is due to greed, but KuCoin and Twitter are also responsible for letting that happen.

Since people pay more than a thousand bucks per month for that golden twitter mark, I believe that twitter should take park of responsibility for such lame security options. Otherwise Twitter service does not look to worth so much to be paid.

Rikafip

legendary

Activity: 1722

Merit: 5937

Quote from: Smack That Ace on April 25, 2023, 04:39:24 AM

I'm no tech expert, but hacking 2FA isn't easy. I am also very confused with this, even 2FA is easily broken, do we have a more secure solution for our accounts?

2FA is good enough as long as you don't use SMS option.

Quote from: Smack That Ace on April 25, 2023, 04:39:24 AM

If hackers can attack 2FA-enabled accounts, why don't they choose Binance, Coinbase... the bigger exchanges, and even Elon's account. They only target smaller accounts, which makes me more suspicious this is done by company employees than hackers.

And who says that they are not trying? Its one thing to try to hack 2FA and entirely different thing to actually succeed in it, and bigger the account (presumably) better the protection. Btw, Kucoin Twitter account is far from small.

Quote from: yhiaali3 on April 25, 2023, 05:23:08 AM

Unfortunately for Twitter, after the Elon Musk takeover, there is a huge flaw in two-factor authentication because Elon Musk announced plans to prevent people from using SMS-based two-factor authentication to secure their accounts — unless they start paying for a Twitter Blue subscription.

Its a douchebag move for sure, but Elon is inadvertently doing them a favor by making them move from SMS based one since its the least secure form of 2FA.

yhiaali3

legendary

Activity: 1848

Merit: 1982

Payment Gateway Allows Recurring Payments

Quote from: Smack That Ace on April 25, 2023, 04:39:24 AM

I'm no tech expert, but hacking 2FA isn't easy. I am also very confused with this, even 2FA is easily broken, do we have a more secure solution for our accounts? I read this today, and I also suspect that the Kucoin staff did this and did not get hacked.
If hackers can attack 2FA-enabled accounts, why don't they choose Binance, Coinbase... the bigger exchanges, and even Elon's account. They only target smaller accounts, which makes me more suspicious this is done by company employees than hackers.

Hacking 2FA is hard but not impossible, but this varies depending on the conditions Service, some of them have a strict policy in this regard, but others unfortunately suffice with an email or SMS for the linked account.

Unfortunately for Twitter, after the Elon Musk takeover, there is a huge flaw in two-factor authentication because Elon Musk announced plans to prevent people from using SMS-based two-factor authentication to secure their accounts — unless they start paying for a Twitter Blue subscription.

Quote

Elon Musk's latest Twitter ownership bizarre move compromises the security of millions of accounts. On February 17, Twitter announced plans to block people from using SMS-based two-factor authentication to secure their accounts — unless they start paying for a Twitter Blue subscription. However, there are safer, free, and easier ways to continue protecting your Twitter account with two-factor authentication.

The full article can be read here:
How to Protect Yourself From Twitter’s 2FA Crackdown
https://www.wired.com/story/twitter-2fa-sms-alternatives-twitter-blue/

Smack That Ace

legendary

Activity: 2030

Merit: 1109

Free Free Palestine

Quote from: yhiaali3 on April 24, 2023, 08:48:40 PM

Hacking the account with 2FA enabled is not impossible, but it also indicates the possibility that the perpetrator is one of Kucoin's employees, but there is no evidence of such a possibility.

I'm no tech expert, but hacking 2FA isn't easy. I am also very confused with this, even 2FA is easily broken, do we have a more secure solution for our accounts? I read this today, and I also suspect that the Kucoin staff did this and did not get hacked.
If hackers can attack 2FA-enabled accounts, why don't they choose Binance, Coinbase... the bigger exchanges, and even Elon's account. They only target smaller accounts, which makes me more suspicious this is done by company employees than hackers.

Rikafip

legendary

Activity: 1722

Merit: 5937

Quote from: PX-Z on April 24, 2023, 06:29:19 PM

I guess sms 2fa is not available on twitter, i remember elon doesn't like 2fa and keep tweeting it previously.

As a matter of fact, 2FA via SMS is available on Twitter (they have two more: authentication app and security key) and since SMS one is easiest to hack, my guess is that attacker did exactly that. We can only guess though since I doubt Kucoin will release more info on how exactly they lost control over their Twitter account.

Quote from: yhiaali3 on April 24, 2023, 08:48:40 PM

The important thing from this lesson is that users learn not to trust suspicious statements, even if they are from the official account, because it may be hacked in such a case.

To be honest, I am surprised that more people didn't fall for this scam attempt and that only $22k was lost. Rest assured, people didn't learn much (if anything) from this and if it happens again people will lose more money.

Potato Chips

hero member

Activity: 2786

Merit: 902

yesssir! 🫡

Quote from: PX-Z on April 24, 2023, 06:29:19 PM

I don't know how their handle was hacked, isn't 2fa is ~~forced~~required to every verified handle in twitter? How is it possible though to breach 2fa?

Assuming it's not an inside job and the 2fa is not SMS, simplest way would be to launch a phishing attack to one of their twitter handlers. Even the strong password + TOTP combo would be rendered useless once an employee bites.

It's also possible the perps may just be mass sending phishing emails and SMS to leaked phone numbers/email and one of them happened to have access to kucoin's twitter account Cheesy

yhiaali3

legendary

Activity: 1848

Merit: 1982

Payment Gateway Allows Recurring Payments

Hacks always happen, the good thing this time is that the losses are not very big because the account was restored after a short period, also that Kucoin will compensate the affected users.

Hacking the account with 2FA enabled is not impossible, but it also indicates the possibility that the perpetrator is one of Kucoin's employees, but there is no evidence of such a possibility.

The important thing from this lesson is that users learn not to trust suspicious statements, even if they are from the official account, because it may be hacked in such a case.

Topic: Kucoin Twitter account hacked, $22k lost (Read 298 times)